70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 4: Active Directory Architecture
Jan 02, 2016

Download

Documents

walter-clay

Transcript
Page 1: Objectives

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 4: Active Directory Architecture

Guide to MCSE 70-294, Enhanced 2

Objectives

• Describe the underlying database of Active Directory
• Describe the Active Directory schema and how it can be extended
• Describe the different Active Directory partitions and their functions

Active Directory Physical Database Storage

• Layers
  • Provide the directory service
  • Include:
    • Extensible Storage Engine (ESE)
    • Database layer
    • Directory Service Agent (DSA)

Active Directory Layers

Active Directory Physical Database Storage

• Extensible Storage Engine:
  • Lowest level
  • Directly responsible for manipulating the database
  • All objects stored in nonhierarchical form
    • Rows in a database table
• Database layer:
  • Responsible for providing the object-oriented hierarchical view

Active Directory Physical Database Storage (continued)

• Directory Service Agent:
  • Third layer
  • Responsible for enforcing semantics
    • Govern how objects in Active Directory are created and manipulated
• Only adjacent layers communicate with one another

Extensible Storage Engine

• Active Directory store:
  • Transactional database
  • Based on the Extensible Storage Engine
• Transaction
  • Each addition, modification, or deletion
  • Needed data is loaded from disk into memory

Extensible Storage Engine (continued)

• Transaction
  • First thing that happens:
    • Operation is logged to the hard disk
  • The modification the transaction performs is made to the in-memory copy of the data
  • Manipulating the in-memory copy of the data is faster than going to disk

Extensible Storage Engine (continued)

• Least recently used:
  • Storing the entire database in memory is not practical
  • Move out data that is no longer needed
  • Write changes back to the hard drive
• Least recently used algorithm writes data to disk:
  • When memory is running low
  • When the system is at a period of low activity

Extensible Storage Engine (continued)

• Transactions:
  • ESE writes all transactions to the log before they are made to the in-memory copy
  • Next time the domain controller starts, ESE can use the transactions recorded in the log
    • Reapply changes to the copy of the data stored on the hard disk
    • Called recovering the database
    • Done without user intervention

Extensible Storage Engine (continued)

• Checkpoints:
  • Shorten recovery times
  • Reduce the amount of hard drive space the logs take up
  • Completed transactions are written back to disk
    • The fact that the transactions were successfully written is noted
    • ESE only needs to reapply transactions from the point of the last checkpoint
    • Transactions can be deleted from the log

Active Directory File Structure

• Files:
  • NTDS.DIT
  • EDB.LOG
  • EDBXXXXX.LOG
  • EDB.CHK
  • RES1.LOG and RES2.LOG
  • TEMP.EDB

Active Directory Files

NTDS.DIT

• The actual Active Directory store
• Stores all objects and their attributes
• Located in the %SYSTEMROOT%\NTDS folder on domain controllers
• Made up of three tables:
  • Schema table
  • Data table
  • Link table

EDB.LOG

• Current transaction log file
• Changes to Active Directory are noted first in the transaction log file
• Size of EDB.LOG is always 10 MB

EDBXXXXX.LOG

• When EDB.LOG is filled, it is renamed to EDBXXXXX.LOG
• XXXXX is a number increased by one each time a new log file is created
• Every 12 hours:
  • Garbage-collection process runs
  • Deletes old EDBXXXXX.LOG files

EDB.CHK

• Checkpoint file
• System recovering from failure:
  • Uses the EDB.CHK file to determine which transactions should be written to the database

RES1.LOG and RES2.LOG

• Placeholder files
• Reserve disk space
• If the domain controller runs out of free disk space, it uses the reserved space from these files
• Prevents updates from being lost due to insufficient disk space
• Important:
  • Include additional free space to store the Active Directory database as it grows

TEMP.EDB

• Temporary storage space
• Holds large transactions while they are in process
• Used during maintenance operations

LDAP

• Primary protocol used to work with objects in Active Directory
• Vital to understand how to use LDAP naming paths

LDAP (continued)

• DN:
  • Every object in Active Directory has a unique name
  • Describes exactly where the object is located in the object hierarchy
  • Made up of:
    • Name of the object
    • All of the parent objects above it in the hierarchy

LDAP (continued)

• RDN
  • Identifies the object within its container
  • Contains only the name of the object
• Acronyms for object names:
  • DC (Domain Component)
    • Part of a domain name
  • OU (Organizational Unit)
    • Name of an organizational unit
  • CN (Common Name)
    • Name of most objects

LDAP (continued)

• Name example:
  • Lori Thompson located in the dev.supercorp.net domain in the Research organizational unit
  • DN: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net
  • RDN: CN=Lori Thompson
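An added Python example (not from the textbook) of the DN/RDN structure described on pages 21 to 23: it splits a DN into its RDNs, returns the object's own RDN, its parent container and the DNS domain from the DC components, and honours a backslash-escaped comma inside a value, which a plain split on "," would break on. The function names are the example's own.

```python
def split_dn(dn):
    """Split an LDAP DN into its RDNs, object first, forest root last.
    A backslash escapes the next character, so 'CN=Thompson\\, Lori' stays one RDN."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape sequence verbatim
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                         # an unescaped comma ends the current RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))   # attribute types are case-insensitive
    return rdns

def rdn(dn):
    """Relative distinguished name: only the object's own name, e.g. 'CN=Lori Thompson'."""
    attr, value = split_dn(dn)[0]
    return "%s=%s" % (attr, value)

def parent_dn(dn):
    """DN of the container holding the object: every RDN above the first one."""
    return ",".join("%s=%s" % (a, v) for a, v in split_dn(dn)[1:])

def domain_of(dn):
    """Reassemble the DNS domain name from the DC components, e.g. 'dev.supercorp.net'."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")
```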

Active Directory Schema

• All available objects and attributes
• Sets out exactly:
  • What kinds of objects are represented
  • What properties or attributes are required or optional
  • What types of values are acceptable
• The tool needed to modify the schema is not available by default

Activity 4-1: Registering Active Directory Schema Console

• Objective: Register the Active Directory Schema snap-in so you can view and modify the schema
• Follow instructions to register the console

Naming

• Every object class and attribute in the schema must have:
  • Unique common name
  • LDAP display name
  • Object Identifier (OID)

Common Name Rules

• Start the name with the registered DNS name of the company
  • Separate each level of the DNS name with hyphens (-) instead of periods
• Add another hyphen (-) at the end of the company's name
• Enter the current year
• Follow the year with another hyphen (-)

Common Name Rules (continued)

• Choose a product-specific prefix
  • Must be unique within the company
  • Identifies the product or application of the class or attribute
  • Should begin with an uppercase letter, with additional letters using capitalization of your choice
• Follow the product-specific prefix with a hyphen (-)
• Enter the name of the class or attribute, with its words separated by hyphens

LDAP Display Name Rules

• Start with the common name already created for the class or attribute
• Make the first character of the product-specific prefix lowercase
  • Characters following the first character may be uppercase or lowercase

LDAP Display Name Rules (continued)

• Make every character in the class or attribute part of the name that is preceded by a hyphen (-) uppercase
• Remove all hyphens (-) after the product-specific prefix
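An added Python example (not from the textbook) that applies the common name rules of pages 27 and 28 and the LDAP display name rules of pages 29 and 30 literally, so a schema extension can be named consistently and the derived display name can be checked before the class or attribute is created. The company name, year, prefix and attribute words passed in are constructed sample values; the rule that the prefix itself contains no hyphen is an assumption of this example, not a rule on the slides.

```python
def common_name(dns_name, year, prefix, name_parts):
    """Common name per the slide rules: DNS levels joined by hyphens, a hyphen, the year,
    a hyphen, the product-specific prefix, a hyphen, then the class/attribute words."""
    if not prefix[:1].isupper():
        raise ValueError("product-specific prefix must begin with an uppercase letter")
    if "-" in prefix:   # assumption: a hyphen inside the prefix would look like a field separator
        raise ValueError("product-specific prefix must not contain hyphens")
    dns_part = "-".join(dns_name.lower().split("."))
    return "%s-%d-%s-%s" % (dns_part, year, prefix, "-".join(name_parts))

def ldap_display_name(common, prefix):
    """Derive the LDAP display name from an existing common name per the slide rules:
    lowercase the first character of the prefix, uppercase every character that follows a
    hyphen in the class/attribute part, then drop all hyphens after the prefix."""
    head, sep, tail = common.partition("-%s-" % prefix)
    if not sep:
        raise ValueError("prefix %r not found in common name %r" % (prefix, common))
    camel = "".join(word[:1].upper() + word[1:] for word in tail.split("-"))
    return "%s-%s%s" % (head, prefix[:1].lower() + prefix[1:], camel)
```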

Example common names and LDAP display names

OID

• OID space must be obtained separately
  • Not part of the registered DNS domain name
• Two primary ways to obtain an OID space:
  • Through Microsoft
  • International Standards Organization (ISO)

Object Classes

• Definition of each type of object
• Like a template from which objects are created
• Inheritance
• Class types:
  • Structural classes
  • Abstract classes
  • Auxiliary classes
  • 88 classes

Object Classes (continued)

• Possible superiors
  • Control which types of objects a new object can be instantiated or moved under
  • Example: a user object cannot be created (or moved) under a printer object

Activity 4-2: Creating a Structural Class

• Objective: Learn how to extend the Active Directory schema to include additional classes
• Use Active Directory Schema to create a new class

Attributes

• Schema contains a list of all possible attributes
• Class is assigned both mandatory and optional attributes
• Object is the sum of its attributes
• Syntaxes
  • Define the data type an attribute can store

Common Syntaxes

Common Syntaxes (continued)

Indexes

• Similar in concept to the index in the back of a book
• Store values (in order) for all objects that have a given attribute
• Speed up queries
• Slow down creation of objects and updating of attributes
• Choose attributes that have highly unique values

Activity 4-4: Adding an Optional Attribute to a Class

• Objective: Learn how to add additional attributes to a class
• Use the Schema console to add an attribute to a class

Active Directory Partitions

• Database divided into groups called partitions, or naming contexts
  • Used to manage replication
• Partitions:
  • Schema partition
  • Domain partition
  • Configuration partition
  • Application partition

Active Directory Partitions (continued)

• ADSI Edit:
  • Included with the Windows Server 2003 Support Tools
  • Used to view and modify objects in the various Active Directory partitions

Active Directory Partitions (continued)

Schema

• Stores the schema
• Contains definitions of all classes and attributes in the entire forest
• Replicated to all domain controllers in the forest
  • Content is the same throughout the forest

Configuration

• Stores information about the replication topology used in the forest
  • Specifies how a domain controller determines with which other specific partners it replicates
• Found on all domain controllers
  • Same throughout the forest

Domain

• Contains the users, computers, groups, and organizational units created in the Windows domain
• Replicated to all domain controllers in the domain
• Large amount of data
• Usually the partition that changes most frequently

Application

• Cannot contain security principals
• Can be replicated to many different domains in the forest
  • Without necessarily being included on all domain controllers
• Used when a developer wants to store information in Active Directory

Summary

• Active Directory is made up of several layers:
  • Extensible Storage Engine (ESE)
  • Database layer
  • Directory Service Agent (DSA)
• By logging all transactions, ESE can reapply transactions in the event of a system failure and bring the data back to a consistent state

Summary (continued)

• All objects and attributes available in Active Directory are defined in the Active Directory schema
• To effectively manage replication of Active Directory, the database is divided into groups called partitions